Heartbleed, 28 Weeks Later

Six months ago, when the Heartbleed bug threatened your bank account, your passwords, and your online life, people suddenly cared about OpenSSL, the open source version of crucial security standards that keep safe huge swaths of the Internet. They wanted to know what it all meant and who was responsible for keeping them safe. (As it happens, the people most closely involved were two middle-aged guys called Steve.)

But at LinuxCon Europe 2014, a conference for the open source software movement held earlier this month in Düsseldorf, Germany, 11 OpenSSL developers—most of them volunteers who had jetted in from around the world to meet in an anteroom off the main convention floor—were roundly ignored.

Many of the issues which were brought to light when Heartbleed hit the news—understaffing, under-resourcing, and the most gaping security holes—have been fixed in the past six months. Though there are still occasional security flare-ups, they are few, far between, and less momentous than Heartbleed. For many attendees at LinuxCon Europe, it was a case of “out of sight, out of mind.”

But that didn’t make the presence of the OpenSSL team—only two of whom work full time on the project—at the conference any less momentous. The group (minus four who couldn’t make the gathering) were meeting in person for the first time ever.

The OpenSSL team gets their first family portrait. (OpenSSL)

In April this year, it was revealed that a vulnerability in OpenSSL allowed hackers to pilfer 65,536 characters of plain text from servers with impunity. Despite the “open” in the name, what OpenSSL does is to create an encrypted link between users and servers. A coding slip-up caused the encryption to fail. That meant malicious actors could potentially have access to everything you’re told to keep secret: passwords, bank account details, everything.

At the time, OpenSSL’s developers suddenly found themselves in the spotlight as people realized the size of the gaping hole in the Internet’s security, and the shoestring budget with which a small handful of volunteers were protecting our online lives using code first written in 1994.

Internet users have had to deal with a lot of panic in the past few months. Soon after Heartbleed came news of two more momentous vulnerabilities, Shellshock and Poodle. In fact, users should feel reassured. The more bugs you find, the more bugs you can fix.

And the recent spate is partially due to efforts by big Internet companies, including Google (which first discovered Heartbleed), to tighten web security after the Snowden disclosures revealed the extent of government snooping on their private networks, according to Matthew Prince, who runs Cloudflare, a web infrastructure firm.

The world has moved on from Heartbleed. The OpenSSL team hasn’t.

What Heartbleed did was raise several issues to those who work on the code day in and day out. One immediately correctable problem was the fact that no more than a handful of its developers had ever stood in the same room and discussed what problems they ought to tackle first.

The group had planned to spend three full days on the sidelines of the conference working out what needed to be done. But the pre-emptive leak of another vulnerability, nicknamed Poodle, took precedence. Three days became one-and-a-half as most of the team concentrated on patching the big new problem as well as three more they turned up at the same time, working late into the evening of October 14th.

“The restaurant at our hotel was very tolerant of us staying there until 1 a.m. every night,” says Steve Marquess, a former U.S. Department of Defense consultant who now oversees the running and sustainability of the group who maintain the OpenSSL code base.

And though many of the OpenSSL group members who gathered in Germany traveled back home and went back to their day jobs bleary-eyed, from November 10th there’ll be one less person who has to juggle his 9-to-5 job with keeping OpenSSL running healthily.

Matt Caswell, a 42-year-old father of two currently working as a solutions architect designing IT systems for large organizations and the U.K. public sector, will shortly be OpenSSL’s third full-time employee. He’ll be needed: The protocol is about to go through a major test.

Also in attendance at the conference in Düsseldorf was Linus Torvalds, the creator of the Linux operating system and a fellow of the Linux Foundation. The team didn’t meet Torvalds, but the Foundation has helped enact one of the biggest developments in OpenSSL since its creation two decades ago: a complete audit of the current code base, going through it with a fine-tooth comb to plug any holes that allow hackers access.

Kenneth White, who will lead the effort, says that the audit, which starts in January 2015, is “probably one of the most ambitious security revisions in recent history.” It’ll combine an automated search of the code base with a “fairly intense manual review,” he says. They hope to carry out the core analysis on the OpenSSL code base within six months so that OpenSSL 1.1 can be released by midsummer—though it may very well take longer to ensure it’s all working as it should.

Half a year on from Heartbleed, what’s changed?

For one thing, most of those working behind the scenes can now put faces to the names they interact with via email every day. As both Caswell and Marquess explain, getting the measure of one’s fellow volunteers in a real-life situation can help gauge their reactions on email. And on a purely practical level, group productivity goes through the roof when in the same room, rather than at other ends of an email chain.

The group—or as many as could travel to Germany—also got their first family portrait, taken by an unsuspecting conference attendee who just happened to be passing and was asked to record the occasion with a quick snap. The photograph is a happy memory for Steve Marquess in what has been a difficult year, but it’s also a permanent reminder of the task yet to come.

“We’re still conscious we have 15 years of catching up to do,” he admits.

Chris Stokel-Walker is a journalist based in the U.K. His work has appeared in The Guardian, The Economist, and Buzzfeed.